What is the NERC CIP?

The North American Electric Reliability Corporation (NERC) is a not-for-profit international regulatory authority whose mission is to assure the effective and efficient reduction of risks to the reliability and security of the grid. NERC develops and enforces Reliability Standards; annually assesses seasonal and long‐term reliability; monitors the bulk power system through system awareness; and educates, trains, and certifies industry personnel. NERC’s area of responsibility spans the continental United States, Canada, and the northern portion of Baja California, Mexico. NERC is the Electric Reliability Organization (ERO) for North America, subject to oversight by the Federal Energy Regulatory Commission (FERC) and governmental authorities in Canada. NERC’s jurisdiction includes users, owners, and operators of the bulk power system, which serves more than 400 million people.

The NERC Critical Infrastructure Protection (NERC CIP) is a plan comprised of a set of requirements. The NERC CIP developed and designed a series of standards intended to protect any assets used to operate North America’s Bulk Electric System (BES).  NERC CIP is broken down into several sub-standards that give detailed directives on how to properly implement and enforce them.

NERC CIP standards

The NERC CIP is broken down into several sub-standards that give detailed directives on how to properly implement and enforce them covering the security of electronic perimeters and the protection of critical cyber assets as well as personnel and training, security management and disaster recovery planning. 

CIP 002: BES CYBER SYSTEM CATEGORIZATION

Purpose: To identify and categorize BES Cyber Systems and their associated BES Cyber Assets for the application of cybersecurity requirements commensurate with the adverse impact that loss, compromise or misuse of those BES Cyber Systems could have on the reliable operation of the BES. Identification and categorization of BES Cyber Systems support appropriate protection against compromises that could lead to misoperation or instability in the BES.

CIP 003: CYBER SECURITY – SECURITY MANAGEMENT CONTROLS

To specify consistent and sustainable security management controls that establish responsibility and accountability to protect Bulk Electric System (BES) Cyber Systems against compromise that could lead to misoperation or instability in the BES.

CIP 004: CYBER SECURITY – PERSONNEL & TRAINING

To minimize the risk against compromise that could lead to misoperation or instability in the Bulk Electric System (BES) from individuals accessing BES Cyber Systems by requiring an appropriate level of personnel risk assessment, training and security awareness in support of protecting BES Cyber Systems.

CIP 005: CYBER SECURITY – ELECTRONIC SECURITY PERIMETER(S)

To manage electronic access to BES Cyber Systems by specifying a controlled Electronic Security Perimeter in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.

CIP 006: CYBER SECURITY – PHYSICAL SECURITY OF BES CYBER SYSTEMS

To manage physical access to Bulk Electric System (BES) Cyber Systems by specifying a physical security plan in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.

CIP 007: CYBER SECURITY – SYSTEM SECURITY MANAGEMENT

To manage system security by specifying select technical, operational and procedural requirements in support of protecting Bulk Electric System (BES) Cyber Systems against compromise that could lead to misoperation or instability in the BES.

CIP 008: CYBER SECURITY – INCIDENT REPORTING AND RESPONSE PLANNING

To mitigate the risk to the reliable operation of the BES as the result of a cyber security incident by specifying incident response requirements.

CIP 009: CYBER SECURITY – RECOVERY PLANS FOR BES CYBER SYSTEMS

To recover reliability functions performed by BES Cyber Systems by specifying recovery planning requirements in support of the continued stability, operability and reliability of the BES.

CIP 010: CYBER SECURITY – CONFIGURATION CHANGE MANAGEMENT AND VULNERABILITY ASSESSMENTS

To prevent and detect unauthorized changes to BES Cyber Systems by specifying configuration change management and vulnerability assessment requirements in support of protecting BES Cyber Systems from compromise that could lead to misoperation or instability in the BES.

CIP 011: CYBER SECURITY – INFORMATION PROTECTION

To prevent unauthorized access to BES Cyber System Information by specifying information protection requirements in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.

CIP 012: CYBER SECURITY – COMMUNICATIONS BETWEEN CONTROL CENTERS (Note: Pending regulatory approval)

To protect the confidentiality and integrity of Real-time Assessment and Real-time monitoring data transmitted between Control Centers.

CIP 013: CYBER SECURITY – SUPPLY CHAIN RISK MANAGEMENT

Effective 7/1/2020 – To mitigate cyber security risks to the reliable operation of the BES by implementing security controls for supply chain risk management of BES Cyber Systems.

CIP 014: PHYSICAL SECURITY

To identify and protect Transmission stations and Transmission substations and their associated primary control centers that if rendered inoperable or damaged as a result of a physical attack could result in instability, uncontrolled separation or Cascading within an Interconnection.

As you can tell from the list of list of requirements above, NERC compliance is no easy task and is taken very seriously. Fines can reach up to $1M a day depending on the severity of the non-compliance. As our power grids remain one of the highly targeted assets for cyber criminals, it is imperative that these requirements be taken seriously. Triaxiom Security can assist with compliance of one or multiple requirements. Please reach out today and we would be happy to discuss.